CVE-2022-33746 — Improper Resource Shutdown or Release in XEN

CWE-404 — Improper Resource Shutdown or Release CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 88.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN Debian Linux +1 more

Timeline

PublishedOct 11

Description

P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HExploitability: 2.0 | Impact: 4.0

Affected Packages3 packages

▶debiandebian/xen< xen 4.16.2+90-g0d39a6d1ae-1 (bookworm)

▶Debianxen/xen< 4.14.5+86-g1c354767d5-1+3

▶NVDxen/xen4.13.0 — 4.16.1

Also affects: Debian Linux 11.0, Fedora 35, 36, 37

Patches

Patch: www.openwall.com ↗Patch: xenbits.xen.org ↗Patch: xenbits.xenproject.org ↗

🔴Vulnerability Details

OSV

CVE-2022-33746: P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size↗2022-10-11

▶

GHSA

GHSA-r55p-5rm2-vqg9: P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size↗2022-10-11

▶

📋Vendor Advisories

Debian

CVE-2022-33746: xen - P2M pool freeing may take excessively long The P2M pool backing second level add...↗2022

▶